SAML authentication backend

Since LemonLDAP::NG 1.0rc1

Presentation

LemonLDAP::NG can use SAML2 authentication to obtain the user's identity and collect attributes defined in the user's profile on its Identity Provider (IDP). In this case, LemonLDAP::NG acts as a SAML2 Service Provider (SP).

Several IDPs are allowed; in this case the user chooses the IDP he wants. You can preselect an IDP with an IDP resolution rule.

For each IDP, you can configure the attributes that are collected. Some can be marked mandatory: if the IDP does not return them, the session will not open.

Configuration

SAML Service

See SAML service configuration chapter.

Authentication and UserDB

In General Parameters > Authentication, set:

As passwords will not be managed by LL::NG, you can also go to General Parameters > Portal:

Register LemonLDAP::NG on partner Identity Provider

After configuring SAML Service, you can export metadata to your partner Identity Provider. They are available at the EntityID URL, by default: http://auth.example.com/saml/metadata.

Register partner Identity Provider on LemonLDAP::NG

In the Manager, select node Identity Providers and click on New metadatas:

(screenshot: manager-saml-idp-new.png)

You are asked for the IDP name: enter it and click OK.

Now you have access to the IDP parameters list:

(screenshot: manager-saml-idp-list.png)

Metadata

You must register the IDP metadata here. You can do it either by uploading the file or by fetching it from the IDP metadata URL (this requires a network link between your server and the IDP):

(screenshot: manager-saml-idp-metadata.png)

You can also copy/paste the metadata: just click on the Edit button. When the text is pasted, click on the Apply button to keep the value.

Exported attributes

For each attribute, you can set:

(screenshot: manager-saml-idp-attribute.png)
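The attribute collection described in the presentation and in this section (attributes mapped to session keys, some of them mandatory) can be illustrated with the following added example; it is not LemonLDAP::NG code. It parses a constructed SAML2 assertion fragment, applies a hypothetical per-IDP attribute map, and refuses to open the session when a mandatory attribute is missing. It assumes the assertion's signature has already been verified before this step.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not captured from a real IDP).
# Signature verification must happen before attributes are trusted.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical per-IDP map: session key -> (SAML attribute Name, mandatory?)
ATTRIBUTE_MAP = {
    "mail": ("mail", True),
    "groups": ("memberOf", False),
    "uid": ("uid", True),  # mandatory but absent from the sample assertion
}


class MissingMandatoryAttribute(Exception):
    """Raised when an attribute flagged mandatory is not in the assertion."""


def extract_attributes(assertion_xml):
    """Return {SAML attribute Name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        found[attr.get("Name")] = values
    return found


def build_session(assertion_xml, attribute_map):
    """Map IDP attributes to session keys; multi-valued ones are joined with '; ' (assumed separator)."""
    found = extract_attributes(assertion_xml)
    session = {}
    for key, (saml_name, mandatory) in attribute_map.items():
        values = found.get(saml_name)
        if not values:
            if mandatory:
                raise MissingMandatoryAttribute(saml_name)
            continue  # optional attribute simply stays out of the session
        session[key] = "; ".join(values)
    return session


def open_session(assertion_xml, attribute_map):
    """Return (True, session) when all mandatory attributes are present, else (False, missing name)."""
    try:
        return True, build_session(assertion_xml, attribute_map)
    except MissingMandatoryAttribute as exc:
        return False, exc.args[0]
```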
Options

General options

For example, to preselect this IDP for users coming from the 192.168.0.0/16 network:

$ENV{REMOTE_ADDR} =~ /^192\.168\./

$ENV{REMOTE_ADDR} holds the client IP address as seen by the portal; the dots are escaped so that each one matches only a literal dot, and the trailing dot prevents a match on addresses such as 192.1680.0.1.
Authentication request

Session

Signature

These options override service signature options (see SAML service configuration).

Binding

Security